CTB-Locker ransomware is now targeting websites

Ransomwares continue to improve and are aimed at increasingly bigger targets, moving from ordinary computers to entire business networks, as witnessed recently at the Hollywood Presbyterian Medical Center in the United States. The latest target for these ransomwares is websites.

Following Linux.encoder.1, the first ransomware to target Linux servers with the aim of shutting down a website, the IT security researcher, Benkow, has identified “CTB-Locker for websites”, a variant of the formidable CTB-Locker ransomware.

This ransomware follows the classic pattern with the contents of a website being encrypted (AES 256) pending payment of a ransom of 0.4 bitcoins (about 160 euros) while the original index.html page is replaced by a homepage showing a set of instructions.

The original page is replaced when the computer is infected

One of the distinctive features of this campaign is the number of languages available in the top right corner of the screenshot shown above. Although simply translated using Google Translate, the choice of languages shows that the campaign is aimed at as many victims as possible over a wide geographical area.

A messaging function is available for contacting the cybercriminals. Two files may also be decrypted and this is probably to demonstrate that the system works.

Some documents have been placed on the infected site. These include the list of files to be encrypted, the list of extensions targeted and also the list of files already encrypted which are available on the infected site in allenc.txt:

The name of the files that are already encrypted

Further WordPress vulnerability?

Not exactly. The distinguishing feature of CTB-Locker for websites is that it doesn’t only target sites running on WordPress or other Joomla! or Drupal types of CMS (Content Management System). Indeed, we have managed to analyze various infected sites which did not use a CMS, so there is no point looking for a vulnerable plug-in.

The cause of the infection is still unknown, although some researchers are starting to point the finger at Shellshock vulnerability or, at least, a bad server configuration.

It should be remembered that the Shellshock bug, discovered in September 2014, allowed commands to be executed by a remote server via the Bash shell. Although this has since been dealt with, not all administrators have updated their systems.


In short

By the time it was detected, in mid-February 2016, the CTB-Locker for websites campaign had likely infected around one hundred sites. The unfortunate victims are faced with little choice as the only way of removing the threat is by a full restore from backup.

Below are the results of a search on Duckduckgo.com showing some infected sites:

Examples of infected sites